OpenNMS / NMS-12673

Authenticated RCE vulnerability via ActiveMQ Minion payload deserialization

Details

    • Horizon 2020 - April 15th

    Description

      The disclosing researcher writes:

      I began to have a look at your software (suite) OpenNMS. Yesterday, I found that one could get Remote Code Execution (RCE) via malicious MQ messages
      on the Horizon base station from a remote machine with minion credentials. At least that was the case I found quickly to be valid with respect to the role model.
      Find attached a short write-up describing a little bit more on the exploitation steps.

      The referenced write-up is included as a PDF attachment.

          People

            j-white Jesse White
            jeffg Jeff Gehlbach